Remediation

The following are guidelines for working with script-initiated window calls in a process that runs under the Windows Restrictions security feature control:

For windows opened by using window.open:

Expect the status bar to be present, and write your code accordingly. Under Windows Restrictions, script cannot hide the status bar of a window it opens: the status bar is On by default and is 20-25 pixels in height.

Adjust the window's size and content so that they fit well visually with the window's overall size. The window cannot cover the taskbar, so if the status bar is On and you do not account for the taskbar, the content area might lose about 40 pixels. Size the window vertically so that it extends no more than 30 pixels into the taskbar area.

Do not open windows off-screen. Internet Explorer moves such a window by the smallest x- and y-offset that brings it fully onscreen, so it will not appear where your script asked for it.

When designing, consider how the display theme, the font size, and the screen resolution affect the appearance of the window.

Note

Using the window.open method with fullscreen=yes results in a maximized window with the normal window frame, not a kiosk-mode window.

For windows opened by using window.createPopup:

Adjust the pop-up window's size and content so that they fit well visually with the window's overall size. Under Windows Restrictions the pop-up window cannot cover its parent window's title bar or status bar, so it might lose about 40 pixels if you do not account for them. Size the pop-up window vertically no larger than the currently visible area of the page.

Do not open chromeless windows (Internet Explorer frame windows that do not include a status bar, address bar, or title bar) outside the HTML rendering surface of Internet Explorer. Internet Explorer moves such a window by the smallest x- and y-offset that places it fully inside the client area.

Important

There is one exception: up to half of the window's width can extend beyond the left or right edge of the Internet Explorer client area.

When designing, consider how the display theme, the font size, and the screen resolution affect the appearance of the pop-up window.
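The sizing and placement rules above for window.open and window.createPopup can be applied in script before the call is made, so the window lands where you expect instead of being relocated by the browser. The following helpers are an added example, not code from the original page: they clamp a requested rectangle the way the text says Internet Explorer does (smallest x- and y-offset, with the half-width overhang allowed only for createPopup) and reserve room for the forced status bar. The pixel constants are assumptions: 25 px is the top of the 20-25 px status-bar range quoted above, and 30 px is an assumed title-bar height that the page does not state.

```javascript
// Added example (not from the original page). ES3-style so it also runs in
// the Internet Explorer versions the page is about.
var STATUS_BAR_PX = 25; // assumption: top of the 20-25 px range quoted above
var TITLE_BAR_PX = 30;  // assumption: typical title-bar height, not from the page

// Move a rectangle into an area by the smallest x/y offset, mirroring the
// relocation the page attributes to IE. allowHalfOutside lets up to half of
// the width hang past the left or right edge (the createPopup exception);
// height is never allowed to exceed the area.
function relocate(rect, area, allowHalfOutside) {
  var width = Math.min(rect.width, area.width);
  var height = Math.min(rect.height, area.height);
  var slack = allowHalfOutside ? Math.floor(width / 2) : 0;
  var minLeft = area.left - slack;
  var maxLeft = area.left + area.width - width + slack;
  var left = Math.max(minLeft, Math.min(rect.left, maxLeft));
  var top = Math.max(area.top, Math.min(rect.top, area.top + area.height - height));
  return { left: left, top: top, width: width, height: height };
}

// window.open: req.width/req.height are the content size you want. The title
// bar and the forced status bar are added outside it, and the whole window
// must fit in the screen area above the taskbar (screen.availWidth/availHeight).
function fitWindowOpen(req, scr) {
  var chrome = TITLE_BAR_PX + STATUS_BAR_PX;
  var avail = { left: 0, top: 0, width: scr.availWidth, height: scr.availHeight };
  var outer = relocate(
    { left: req.left, top: req.top, width: req.width, height: req.height + chrome },
    avail, false);
  var content = {
    left: outer.left,
    top: outer.top,
    width: outer.width,
    height: Math.max(0, outer.height - chrome)
  };
  // status=yes is explicit because Windows Restrictions will show it anyway.
  content.features = "width=" + content.width + ",height=" + content.height +
    ",left=" + content.left + ",top=" + content.top + ",status=yes";
  return content;
}

// createPopup: the pop-up must lie inside the currently visible client area
// (and be no taller than it), except that half its width may overhang the
// left or right edge.
function fitPopup(req, client) {
  return relocate(req, client, true);
}

// Browser usage; guarded so the pure helpers above can also run under Node.
function openFitted(url, name, req) {
  if (typeof window === "undefined" || !window.screen) { return null; }
  var geo = fitWindowOpen(req, window.screen);
  return window.open(url, name, geo.features);
}

function showFittedPopup(req) {
  if (typeof window === "undefined" || !window.createPopup) { return null; }
  var body = document.body;
  var geo = fitPopup(req, { left: 0, top: 0, width: body.clientWidth, height: body.clientHeight });
  var popup = window.createPopup();
  popup.show(geo.left, geo.top, geo.width, geo.height, body);
  return popup;
}
```

fitWindowOpen returns the content size to pass to window.open together with a ready-made features string; fitPopup returns the arguments for popup.show. Both are pure functions, so you can unit-test the geometry logic without a browser and keep the real calls in the two guarded wrappers.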

By default, sites in the Local Intranet and Trusted Sites zones are allowed to open windows and to create pop-up windows without these restrictions. When developing an extranet Web application, you might be able to configure your users' browsers to add the Web site to one of these zones. Keep in mind that placing a site in one of these zones relaxes its other security settings as well, so do this only for sites you control.

Windows Restrictions and the Registry

You manage Windows Restrictions through a security feature control registry key (FEATURE_WINDOW_RESTRICTIONS). Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) run under this feature control by default. The following list shows the registry keys and enabled processes:

Applications that host the WebBrowser control can also opt in to the security feature control by adding their process name to the same registry locations. You can also do this programmatically, by calling the CoInternetSetFeatureEnabled function.

Note

If an application does not run under this security feature control, the WebBrowser control behaves as it did in previous versions of Internet Explorer, without Windows Restrictions.
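The registry route for opting a WebBrowser-control host into the feature control, as an added example that is not code from the original page and is the alternative to calling CoInternetSetFeatureEnabled. It is written for Windows Script Host (cscript.exe), which is where a Windows administrator of that era would run JScript. The page does not print the registry path; the one used below, Software\Microsoft\Internet Explorer\Main\FeatureControl under HKLM or HKCU (plus the WOW6432Node view for 32-bit hosts on 64-bit Windows), with a REG_DWORD value named after the executable, is taken from the Internet Feature Controls documentation rather than from this page and should be treated as such. The host name myhost.exe is a placeholder.

```javascript
// Added example (not from the original page): audit and set the
// FEATURE_WINDOW_RESTRICTIONS opt-in for a process via the registry.
// Runs under cscript.exe; the functions take the shell as a parameter so
// they can also be exercised with a fake registry outside WSH.
var FEATURE = "FEATURE_WINDOW_RESTRICTIONS";

// Key path, trailing backslash included so a value name can be appended.
// Assumption from the feature-controls documentation, not from this page.
function featureKeyPath(hive, wow64) {
  var node = wow64 ? "SOFTWARE\\WOW6432Node\\" : "SOFTWARE\\";
  return hive + "\\" + node + "Microsoft\\Internet Explorer\\Main\\FeatureControl\\" +
    FEATURE + "\\";
}

// The value name is the executable's file name; 1 enables, 0 or absent
// means the process does not run under the feature control.
function readProcessSetting(shell, hive, exe, wow64) {
  try {
    return shell.RegRead(featureKeyPath(hive, wow64) + exe);
  } catch (e) {
    return null; // WScript.Shell.RegRead throws when the value does not exist
  }
}

// Write the opt-in as REG_DWORD 1 and read it back to confirm.
function enableForProcess(shell, hive, exe, wow64) {
  var name = featureKeyPath(hive, wow64) + exe;
  shell.RegWrite(name, 1, "REG_DWORD");
  return shell.RegRead(name) === 1;
}

// Report which of the given processes are opted in (64-bit view).
function auditProcesses(shell, hive, exes) {
  var result = {};
  for (var i = 0; i < exes.length; i++) {
    result[exes[i]] = readProcessSetting(shell, hive, exes[i], false) === 1;
  }
  return result;
}

// Under Windows Script Host, WScript.Shell gives real registry access.
// Usage: cscript windowrestrictions.js myhost.exe
if (typeof ActiveXObject !== "undefined") {
  var sh = new ActiveXObject("WScript.Shell");
  var host = WScript.Arguments.length > 0 ? WScript.Arguments(0) : "myhost.exe"; // placeholder
  var before = auditProcesses(sh, "HKLM", ["iexplore.exe", "explorer.exe", host]);
  for (var exe in before) {
    WScript.Echo(exe + ": " + (before[exe] ? "enabled" : "not enabled"));
  }
  // Writing to HKLM needs an elevated prompt; use "HKCU" for a per-user opt-in.
  WScript.Echo(host + " enabled now: " + enableForProcess(sh, "HKLM", host, false));
}
```

The audit step is worth running on its own before changing anything: a host process that is absent from the key (RegRead throws, so readProcessSetting returns null) is the case the Note above describes, and the control will render without Windows Restrictions in that process.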

What Happens If I Disable This Security Feature?

The visible security features of Internet Explorer windows, such as the status bar, give users information with which to judge the source and the security level of a Web page. If these elements are hidden, users might believe they are on a trustworthy page or are interacting with a system process when they are in fact dealing with a malicious host. Malicious use of window relocation can present false information to the user, obscure important information, or otherwise spoof important elements of the user interface in an attempt to persuade the user to take unsafe actions or to divulge sensitive information.